Attacks on my Blog

During last weekend this blog experienced a number of attacks. I suspect [or know :)] that the majority of these attacks were performed by my students, to whom I give the Computer Networks Security lectures. It is possible that some other people tried to break into my blog as well. I tracked some of the attackers' IP addresses. (Yes, I know that you can use various anonymous proxies to hide your origin.)

Fortunately, these attacks were not successful, but with a little more reading and careful analysis they could have been. It is also interesting that I was traveling and didn't have proper access to my blog at the time to perform an upgrade or any other administrative action.

The fact is that we talk to students, among other things, about SQL injection attacks and XSS issues and their prevention. They chose to try this knowledge against my blog. I use WordPress as my blogging platform and I had failed to update it from version 2.10 to 2.13, even though WordPress had announced that there are security holes in version 2.10 and that release 2.13 includes fixes for several publicly known minor XSS issues, one major XML-RPC issue, and a proactive full sweep of the WordPress codebase to protect against future problems. This problem is described here.

Today I upgraded my blogging platform to WordPress 2.13 and I hope it is secure until the moment a new security hole is found in it (as for the thousands of other bloggers who use WordPress).

I was in the classroom, too, and have given some money to a kid who did that attack to buy himself some beer, because he made me laugh like hell!

To Marko: sorry, but you'll have to eat your own words: it WAS a threat. Minor modifications to a procedure performed in a class and the blog would be in his hands within seconds. Therefore, you cannot put an attack on un-upgraded software into the NOT-A-THREAT category.

To explain myself: don't upgrade your blog/forum/whatever and just wait a while for someone to try an exploit that is already written. Happened with unpatched Red Hat Linux 7.3 (I've had a god damn shadow file sent to my e-mail account, which means he took root privileges somehow), happened with phpBB (one specific forum was dead for a month due to an admin's "I hate upgrades" attitude) and many other apps/OSes/software. There you go – if it's not a threat, what the hell is it then? He could go to http://www.google.com and find the right exploit within minutes. If you wanna learn it the hard way, that's fine by me, you don't even have to use a firewall if you ask me, it's NOT my problem, but I'm being paranoid and I've been patching EVERYTHING for the last two years.

boysha

Hi. The student that got beer from you and I were trying out the exploit a few minutes after it was published on bugtraq/FD. We did not hide our IP, as we only modified the page client-side (I'm guessing that's not illegal, it was just kind of ironic to exploit our security professor's blog). I don't know what you were doing during that class, but what we did here was a simple JS client-side injection, as the injected code wasn't stored anywhere on the server. Perhaps there was another entry point? Earlier today, there was no index page on conwex.info/blog, visitors got the directory listing, but the PHP engine was still working so we couldn't find anything interesting [DP comment: At this period of time the WordPress upgrade was taking place] 🙂 I apologize for any inconvenience we might have caused.

boysha

Now that I think of it, the worst thing we could have done would have been getting the professor to click on our specially crafted link to his blog (something like conwex.info/blog/…"> but URL encoded) and stealing his cookie, provided that he was logged in at the time.

boysha
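The attribute breakout described in the comment above (a URL-encoded `">` reflected into a link on the blog) is easiest to understand next to its fix. This is an added example, not code from the blog or from WordPress; the rendering functions, the sample request path and the cookie name are constructed for illustration:

```python
import html
from urllib.parse import unquote

# Constructed sample request path: a URL-encoded `">` followed by an empty
# script tag. It only demonstrates the breakout; it carries no payload.
CRAFTED_PATH = "/blog/%22%3E%3Cscript%3E%3C/script%3E"


def render_link_vulnerable(raw_path: str) -> str:
    """Reflect the decoded request path straight into an href attribute.

    This is the pattern the comment describes: the `"` closes the attribute,
    the `>` closes the tag, and whatever follows is parsed as new markup.
    """
    path = unquote(raw_path)
    return f'<a href="{path}">permalink</a>'


def render_link_hardened(raw_path: str) -> str:
    """Same page, but the value is HTML-escaped before it lands in the attribute.

    quote=True also turns " and ' into entities, which is what an attribute
    context needs; escaping only < and > would still allow the breakout.
    """
    path = unquote(raw_path)
    return f'<a href="{html.escape(path, quote=True)}">permalink</a>'


def attribute_breakout(rendered: str) -> bool:
    """Crude regression check for the template above.

    A correct render of this template has exactly the two raw double quotes
    of the href attribute and no script tag anywhere in the output.
    """
    return rendered.count('"') != 2 or "<script" in rendered.lower()


def login_cookie_header(session_id: str) -> str:
    """Session cookie with HttpOnly set (hypothetical cookie name).

    Escaping fixes the injection; HttpOnly limits the damage if one is missed,
    because document.cookie cannot read the session value from script.
    """
    return f"Set-Cookie: wp_session={session_id}; Path=/; HttpOnly"


if __name__ == "__main__":
    print(render_link_vulnerable(CRAFTED_PATH))  # attribute closed early, script tag injected
    print(render_link_hardened(CRAFTED_PATH))    # value stays inside the quotes as entities
```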

This time the blog was under threat and fortunately survived without interruptions and problems, next time… who knows. The above episode shows that nobody is secure enough. I hope that WordPress 2.13 doesn't have (too many) exploits and that this and other WordPress based blogs will be safe for a prolonged period of time. 🙂